Zoom Doesn't Support End-To-End Encryption During Online Meetings
On Tuesday, the UK's Prime Minister, Boris Johnson, posted a tweet showing his followers how his cabinet is working during the crisis caused by the novel coronavirus. The photo showed an online meeting between Prime Minister Johnson and his colleagues, and its goal was simple – to assure the nation that even in these terrible times, the UK's politicians continue to work for the greater good of everybody. For some people, it probably did its job as a morale booster. Among the security community, however, it raised quite a few eyebrows.
The screenshot shows that the UK's main governing body communicates through Zoom, a video conferencing platform that has seen a massive usage spike thanks to the millions of people who are currently working from home. As a video conferencing solution, Zoom is pretty solid, but security specialists assumed that an organization as important as the UK government would use something custom and tailored to its needs. The second thing information security specialists noticed was that the Zoom meeting ID was clearly visible in Boris Johnson's tweet, which isn't a very good idea, especially when the matters discussed during that meeting are so sensitive. Then, people started poking through Zoom's marketing materials, and things got worse.
Zoom meetings can't be end-to-end encrypted at this point
Also on Tuesday, The Intercept published a report regarding one of the options Zoom gives its users, and politicians and people in charge of big organizations should probably read through it carefully.
When creating a Zoom meeting, a user can enable "encryption for 3rd party endpoints." If they do so, the participants will be told that the meeting is end-to-end encrypted. The security white paper Zoom has published on its website also suggests that this type of encryption is possible for meetings, but The Intercept's investigation revealed that this is simply not true.
Zoom video meetings are encrypted, but the encryption is not end-to-end. Instead, the video and audio pass through a normal TLS (Transport Layer Security) connection, the same technology websites and applications use when they serve content over HTTPS. The Intercept reached out to Zoom for comment, and a spokesperson admitted that because of technological limitations, true end-to-end encryption is only available for chats going through the platform. But what does that actually mean for the people who use the service?
How does the lack of end-to-end encryption impact users?
Messaging applications like WhatsApp and Telegram won't shy away from touting the use of end-to-end encryption and its privacy benefits. The main advantage of end-to-end encrypted communication is that although the information passes through the service provider's servers, the service provider itself doesn't have the means of decrypting it.
In the case of Zoom, thanks to TLS, the meetings are protected from anyone sniffing through the audio and video transmission while it's traveling between users' devices and Zoom's servers. When it's on the servers, however, Zoom employees can theoretically decrypt it. Are they going to do it?
Law enforcement agencies might ask the online conferencing platform to disclose data on particular individuals, but the likelihood of you being impacted by this is not that great. The lack of end-to-end encryption is certainly a problem for politicians like Boris Johnson, but for most people who are currently working from home, it shouldn't be that big of a deal. What is a problem, however, is Zoom's initial attempt to downplay the mistake.
After being asked what caused this confusion, a Zoom spokesperson told The Intercept that by "end-to-end encryption," they meant that the data is encrypted between all the different "Zoom end points," and by "end points," they meant users' devices. This sort of liberal interpretation of well-defined concepts isn't really acceptable, especially when you bear in mind that the platform we're talking about is used by the governments of some of the world's superpowers. Eventually, Zoom realized that it wasn't doing itself any favors, and yesterday it published a blog post admitting that it had let its marketing team get a bit carried away. The developers of the platform apologized for the confusion, and it's now up to Boris Johnson and millions of other Zoom users to decide whether to accept the apology. While he's at it, Mr. Johnson might also think about the cybersecurity precautions his cabinet takes when organizing its online meetings.